Security firm Secunia Research of Denmark has rated a newly discovered hole in Microsoft's Internet Explorer as "highly critical." The flaw lies in the processing of "createTextRange()" and could put computer users at the mercy of hackers.
"This can be exploited by a malicious Web site to corrupt memory in a way that allows the program flow to be redirected to the heap," Secunia said in the alert posted on its Web site. "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview."
The statement added that other versions could also be affected. But the MSRC (Microsoft Security Response Center) said in a blog entry that the new refresh version of IE 7, which was demonstrated at Mix '06, was not affected by this flaw.
"Customers who use supported versions of Outlook or Outlook Express aren't at risk from the e-mail vector since script doesn't render in mail [being read in the restricted sites zone]," said Lennart Wistrand, a program manager with the Response Center. He added that users should turn off Active Scripting to avoid getting hit by hackers.
"We have confirmed this vulnerability," wrote Wistrand. "I am writing a Microsoft Security Advisory on this…but we wanted to make sure customers knew we were aware of this and we will address it in a security update." This new flaw comes just 24 hours after the MSRC confirmed the presence of another bug that crashes IE, causing a denial of service.